From 88cb8abf51cc98b7d3a628ca73581254a78c5218 Mon Sep 17 00:00:00 2001
From: Richard Fuchs <rfuchs@sipwise.com>
Date: Fri, 2 May 2025 08:11:44 -0400
Subject: [PATCH] MT#62735 pull up SRTP decryption

Decrypt SRTP (and possibly discard packet) first, before doing source
address checking/learning.

Change-Id: I2a2cdd94768e93d58e0cdd4614b8ac53ea680724
---
 daemon/media_socket.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/daemon/media_socket.c b/daemon/media_socket.c
index 464bf50be..eb20409ec 100644
--- a/daemon/media_socket.c
+++ b/daemon/media_socket.c
@@ -2778,6 +2778,17 @@ static int stream_packet(struct packet_handler_ctx *phc) {
 	// this sets rtcp, in_srtp, and sinks
 	media_packet_rtcp_demux(phc);
 
+	// this set payload_type, ssrc_in, and mp payloads
+	media_packet_rtp_in(phc);
+
+	// decrypt in place
+	// XXX check handler_ret along the paths
+	handler_ret = media_packet_decrypt(phc);
+	if (handler_ret < 0)
+		goto out; // receive error
+
+	rtp_padding(phc->mp.rtp, &phc->mp.payload);
+
 	if (media_packet_address_check(phc))
 		goto drop;
 
@@ -2788,9 +2799,6 @@ static int stream_packet(struct packet_handler_ctx *phc) {
 	if (!is_blackhole)
 		is_blackhole = !phc->rtcp && !MEDIA_ISSET(phc->mp.media, RECV);
 
-	// this set payload_type, ssrc_in, and mp payloads
-	media_packet_rtp_in(phc);
-
 	if (phc->mp.rtp)
 		ilog(LOG_DEBUG, "Handling packet: remote %s%s%s (expected: %s%s%s) -> local %s "
 				"(RTP seq %u TS %u SSRC %s%x%s)",
@@ -2825,14 +2833,6 @@ static int stream_packet(struct packet_handler_ctx *phc) {
 		}
 	}
 
-	// decrypt in place
-	// XXX check handler_ret along the paths
-	handler_ret = media_packet_decrypt(phc);
-	if (handler_ret < 0)
-		goto out; // receive error
-
-	rtp_padding(phc->mp.rtp, &phc->mp.payload);
-
 	// If recording pcap dumper is set, then we record the call.
 	if (phc->mp.call->recording && !rtpe_config.rec_egress)
 		dump_packet(&phc->mp, &phc->s);